ZDNet Admits Mistakes in Recent Security Test
drsparkly writes "Linux Today is running this story claiming that the recent ZDNet Linux vs NT security `shootout' was biased against Linux. Apparently ZDNet had neglected to apply 21 available security fixes. They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point?"
If your source is correct, then this was a sysadmin test NOT a security test. If it were a security test the patches would have been applied.
As to the "real world" conditions this is BS. If they want to test real world conditions, get a statistically significant sample of sys. admins, give them all the same hardware and software and see how many boxes are secure in two weeks.
Either the people who ran these tests had a preconceived result or they are complete idiots (or both).
I have, yet this is currently experimental. Also it is small enough to be distributed as a single piece, enabling you to read it without tools.
Something like this would have been able to contain the ZDnet script in a tight environment, probably making the exploit much harder.
This is where the centralised method of distribution that FreeBSD et al use really wins. You just set up CVSup to run regularly and run "make world" when you need to actually install the patches. Strictly a hands off operation.
Just click on the .exe, reboot, and that's it.
Run dselect, select install, don't bother to reboot. Or, download all of the rpms, and run rpm over all of them at once. OR, download the latest service pack, decide if you prefer a security hole in file sharing, or a broken print service and who knows what else.
Speaking of enterprise environments, though, I think it would be unfair to leave out Solaris 7. It has 22 security-related patches as listed here: ftp://sunsolve6.Sun.COM/pub/patches/Solaris7.Patch Report Do you run Solaris at your site? If so, did you install all of those? Here, we've got scripts that install those patches on the Solaris boxes. Of course, change management is involved, too.
Sure, it would be nice if Red Hat paid more attention to security and quality control, but that's why I tend to stick with Debian & FreeBSD when feasible. :)
"enterprise businesses would not want to apply 21 individual fixes"
The usual "manager vs. IT dude" problem, I suppose:
The average enterprise manager could probably easily be persuaded to order their IT guys not to use Linux for that reason. They always scare easily for things that are not their area of competence.
If the IT guy takes the OS decision himself, it probably doesn't matter whether it is one fix or many. If he already selected Linux, then he probably also likes the power and control it gives him.
No serious enterprise company should allow any automated tool to install any software without human intervention. While I am not acquainted with the security precautions in autorpm, if any, placing an amount of trust in a network-provided resource is the sort of error that gets system administrators fired for incompetence.
That aside, I prefer having several small updates, which allows me a finer granularity of which patches I install. Take for example a Sun patch cluster. Each patch is in a subdirectory all its own, and the order in which they are to be installed is listed in a single text file. While the current recommended patches are available as a single tarfile, there is a fine level of control available.
--Gus
Sigh. You don't have to track down security fixes from different sources, and you don't have to recompile anything. Just go to Red Hat's updates page, download everything and do rpm -Uv *.rpm
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I guess the main reason why GNU/Linux systems ship numerous small updates, whereas NT has huge single service-packs, is that any normal program (a package) under GNU/Linux consists of a well-defined set of files. None of which are *system* libraries (DLLs).
On Windows a typical application ships its own version of some of the *system* DLLs, thereby rendering the whole platform insecure if one of its libraries has a flaw.
Thus the need for a huge service pack on NT. You need to re-ship updated versions of all libraries, and you need to re-install the service pack after each installation of a (seemingly unrelated) program, because NT DLLs are touched by *applications*.
Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem. And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.
That is, if rpm --freshen * is too hard to type, they shouldn't be running computers at all.
Hire someone with a clue, and go back to writing articles.
Seriously though, if you tried applying NT service packs, and tried rpm --freshen, you know who's got the lead (and for those who haven't tried, here's a hint: it's not the redmond guys).
With NT, you apply one huge service-pack that (somewhat) fixes the problems known at the time of the release of the service pack. Whenever you install a new piece of software, you have to re-install the service pack if you want to be sure it's effective.
With rpm you do the --freshen trick, once. If you install another piece of software, well fine, no worries. If another fix becomes available, just get them all and do --freshen, or get the one fix and --freshen. It's as simple as it gets.
I think it's much too common for clueless people to assume that it's hard to maintain a system they don't know (and haven't even tried to grasp), and assuming that the system with the most aggressive PR backing is necessarily much easier.
The only reason why we don't see more remote attacks on NT is because ``networking'' is somewhat alien to NT. Networking has always been an integral part of UN*X and Linux, so naturally a buggy networked application is almost bound to compromise the system in a cracker-friendly way.
Consider the incredible amount of local attacks on NT being posted weekly (almost daily) on Bugtraq, and you see why NT people should be really happy that NT is not a network operating system.
However, in deference to the long expertise of corporate IT managers, I hereby propose the following Industry Standard for Manageable Updates. Call it the RedHat Service Pack specification. I expect to see it hailed as a wonder of technological innovation and a great leap forward for the Linux community in providing security management:
Packaging (this part is proprietary, you don't need to even see it. avert your eyes):
Installing:
I expect news of this great manageability innovation to be trumpeted throughout the tech news industry. It should be referenced in the sales pages for Maximum RPM, but may require a separate publication of its own to explain this great technology to the world, especially the technology press.
Yes, there is -- they're calling it the RedHat Update Agent, and its main job seems to be to perform RPM upgrades automatically as they become available. It's hardly new, and if ZDnet had done any research (they read the HOWTOs, and Apache's security docs, and ignored the rest), they might have found it. AutoRPM has been in common usage for quite a while now -- it's a nifty little app that picks up the updates from FTP, NFS mount, etc., checks the PGP signatures, and installs the upgrades, then notifies you that it happened so you can check its work. Closes the vulnerability gap a bit.
Which presumably doesn't mean that they believe corporate IT to be a bunch of ignorant layabouts, but if I were a corporate IT person, and a reader of their publication, and also in the slightest bit competent with Linux, I'd be insulted. Perhaps they don't grasp the significance of a discrete package upgrade -- something MS has never really gone for. Root compromise hole in crond? Well, upgrade crond -- redhat publishes the bloody rpm -Uvh ... command to do that in every security advisory. It's a different methodology -- we usually have one upgrade package per main package -- and that, in the UNIX scheme of things, makes vastly more sense than clobbering all our package management systems (far superior to that offered by poor NT) in favor of what they call "[making] fixes available in a more manageable manner."
ZD didn't do enough research while orchestrating this PR stunt, I suspect. Bring on the derision. ):
In principle, this sounds like a good thing. In practice, enabling Windows Update opens a big security hole:
(from a mail to the RISKS mailing list by Steve Wildstrom).
Debian's system doesn't rely on this sort of stuff - you have to actively ask for packages. However, it still relies on your trusting the FTP server you get them from. Official packages will be signed - but do you know that all Debian developers with the key will keep it safe?
OK, let's just see how difficult Linux's 21 separate updates are to install - (assuming you're stupid enough to want to wait for 21 updates to accumulate):
$ rpm -Uvh ftp://ftp.mydistribution.com/pub/updates/*.rpm
Now that was such a lot of work, wasn't it?
Consciousness is not what it thinks it is
Thought exists only as an abstraction
Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem.
Agreed, this is key. Perhaps even more important though is the ability to statically link, so that binary releases can be built, a la Netscape, with everything version-independent (except for kernel dependencies which are few & far between thanks to the efforts of people like Torvalds and Cox). So you can download the binary app and expect to have it work, as it nearly always does when built this way [ed note: and when declared stable ;-)].
Another factor of crucial importance is for this linking process to be carried out by anyone who wants to do it, i.e., access to the source code is important just as you say, but not necessarily for the same reason. Also consider - it's possible to re-link a dynamically linked app to become a statically linked app using a linkage editor... I don't know if Linux has such utilities because I'm a relative newcomer to these development tools. But if they're not there, we need them badly.
And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.
(a) That and 1,000,000 other reasons
(b) It already does. (Check the situation as of last spring)
Life's a bitch but somebody's gotta do it.
In order to simulate a real web server, PC Week Labs had to have it exist for a reason. So they installed a Classified Ads application. And it had a hole.
If you read the page where they described the configuration changes they made, you'll see that they made more changes to NT than they comparatively made to Linux. As in, it was biased a lot more than just not installing all the patches on Linux. They made registry changes. *By* hand, I presume. They moved some of the admin tools to a different location on NT, but didn't move the comparative tools on Linux.
They were comparing apples to oranges anyways. They used a CGI application on Linux and a scripted application (ASP) on NT. Come on, to be fair they should have used a scripted application on Linux also. They *know* what php is, they used it for the forums.
-Brent--
Six months for Red Hat to be specific. Probably a lot faster than MS releases service packs. That's basically what RH 6.1 is, a service pack in MS terms for 6.0. There is only one difference. Red Hat replaces their old version with the new version. If I buy a copy of NT today, would I still have to install SP5? I imagine so.
Still though, I wouldn't want to have to wait until the next version was released to fix security holes. Not even on NT.
-Brent--
> Do they have a point?
No.
Imagine you buy 21 different programs from 21 different vendors, but you buy them all in the same shop, with one single bill, maybe bundled in a single box.
It's obvious that each vendor will fix only their own part and you'll get 21 different fixes.
What you can expect from the shop is that they bundle the fixes in the same way they bundled the programs.
And this is what Linux distributions already do (Debian at least).
Cheers!
The difficulty of applying 21 security fixes may be a bit of an issue (not that I find anything difficult about "rpm -Uvh *.rpm"), but that sure as hell doesn't justify ZD's decision not to apply the fixes. Applying the vendor's fixes is not optional, no matter what system you're running.
Do they think that if a business had its several-thousand-user network compromised, the execs would accept the excuse that there were just too many vendor-supplied patches to apply?!
--
The dog ate my
What?
It's not the managers who are going to be doing the work, they're simply going to mandate "This will be secure!", if they know enough to mandate anything at all.
Most admins out there may not like doing multiple patches, but there are advantages. Some patches can open other holes, and using one of NT's service packs isn't guaranteed to fix everything either. And having them separated out allows an admin to more closely monitor what's been patched, rather than NT's way of doing things.
It's like the NT vs. *nix discussion itself: each has its pros and cons. What it all boils down to is the competency of the guy/gal running the box.
> if I had to apply 21 individual patches to 200 machines, I would be ready to punch someone.
Just copy them to an upgrade directory, cd, and type rpm -Uhv *.rpm on each system. How does that compare to installing one NT service pack on each of those same 200 systems?
> the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights.
Per above, except have a cron job run at 9pm every night to -Uhv whatever files you put there during the day.
Any patch that we apply would have to have a corresponding backout procedure
Just re-install --force your prior version of the RPM for the same package.
Would you rather back out (say) one of 21 RPMs with rpm --force, or back out an NT service patch? And even if they were the same amount of trouble, do you want to throw out everything the SP offers, just because one of the patches on it sucks? Some of the other patches in the SP might accidentally fix something without breaking something else.
ZD doesn't have a case. Because they don't have a clue.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
> A security update from a vendor should be applied IMMEDIATELY
Are you saying you don't like the MS timeline?
Media reports the hole.
MS Months 1-3 : Deny that the problem exists.
Media reports an exploit of the hole.
MS Months 4-6 : Admit that there is a problem that can be exploited by people with esoteric knowledge (who wouldn't consider doing such a thing!) under rare conditions, but that isn't a problem for ordinary users.
Media reports a high-profile exploit of the hole.
MS Months 6-9 : "We're working on it."
Patch is delivered.
Your Months 10-12 : Sysadmins either wait to see what happens to the suckers that apply it first, or else spend these months trying to repair the damage and lock out the new holes created by the 'patch'.
Media reports the problems caused by the 'patch'.
MS Months 13-15 : Deny the problem exists...
Repeat until bankrupt. Season the above liberally with vaporware announcements about how the next new product is going to make all your troubles go away.
Meanwhile, who's been reading your mail?
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Call this flamebait, hidden linux worship, sour grapes or whatever...
But ZDNet (and Yahoo) lost much credibility with me when they couldn't figure out that Jesux was a joke.
My .02
Quux26
www.crashspace.net
This wasn't even a remotely valid security test, so who the heck cares about the details?
There's no way I am going to make a decision based on what happened in a test like this. I'm not even going to take it into consideration. It was entertaining, and I enjoyed it, I enjoyed reading about it, I hope the ZDNet people had fun doing it, and I hope the people who hacked it had some jollies.
But the results are as meaningless as Bill Clinton's sworn testimony.
Yes, they would have. They probably would have prevented jfs from getting root. If he did manage to get root then he would have uncovered a new security hole. Unfortunately, due to ZD incompetence, we have learned absolutely nothing from this little exercise (except possibly the magnitude of ZD's stupidity).
I do agree that the *BSD way is a very good one, though.
---
--
If I actually could spell I'd have spelled it right in the first place.
(apologies for the funky formatting, it used to be a nice table but
According to this logic, Linux is clearly more secure than Windows NT, especially when you `weigh' the numbers with the popularity (or lack thereof) for the individual operating systems.
Of course, the really interesting number is the 0 for OpenBSD. Pity though I have no idea how many OpenBSD sites there are out there...
--frank[at]unternet.org
Well I don't know about enterprise settings but:
I worked for my college's computer services this summer; my job mainly consisted of applying patches to NT for 3 months. Admittedly, we have many more computers than you (I'd estimate 800+ or so in public labs and administrative offices, we are extremely wired for 1500 students) but with 5 other students and the college's professional staff we were unable to apply service packs to all of them. Why? Because when installing that "one big easy install" not only do you have to kick the user of the machine off (they really don't like that) but you actually have to be there the whole time to click on those "friendly" buttons. NT's profiles (they are like home directories except they suck) aren't always updated correctly by the upgrade so the users have to fix and reinstall their programs. Computers that were running NT SP3 w/o IE4 a little bit slow are now completely unusable with all of the "improvements" that were "necessary". Not to mention differing support of hardware between the different service packs; SP4 broke some computer I worked on because of incompatibilities with the BIOS on some Compaqs which had no problems at all with earlier versions.
In contrast, if we had been using Linux, even if I hadn't created a script, I could have opened up a sh*tload of telnet sessions from the cold room and, without the user knowing or caring, updated each and every machine at the same time with only the packages necessary.
1. NT itself is a piece of crap to even maintain properly. SP2 and SP4 only proved that Microsoft does not properly test third-party products with their Service Packs. We waited until SP5, and ONLY after several rounds of serious tests to make sure that nothing got hammered.
1a. Certain clients that used third-party messaging, web server, or application server products made by competitors such as Sun or Netscape had serious issues when SP4 was installed. So did Samba in one of our test cases. Leads me to believe that M$ wanted SP4 to push the M$ products over the competing products.
2. The Install of NT itself on a bare box is abysmal. It takes about 10 reboots to get everything installed right with the Hot Fixes and the Service Packs. Linux takes one with 6.1. By the way, the install is about 5x as fast as W2K even in graphical install mode of RH6.0.
2a. Plus, there's the monitoring of NTBUGTRAQ for the latest exploits. Sometimes they hit 5 a week. The MS people post fixes 2 weeks later.
3. Linux, on the other hand, is mostly stable. Fixes are out within hours. I don't have these issues.
4. Linux isn't tightly integrated with Apache.
If I want to change web servers for reasons of security or such then I can. Can I do that easily with NT? The answer is no, unless you run Apache for NT. Then you still have the issues of the operating system.
4a. IIS is the biggest security hole of a web server I have yet seen. The bugfixes hardly fix anything. Doubt me and think NT is god? Read NTBUGTRAQ or actually run an NT server connected to the Internet. Microsoft and their COM objects are causing a whole mess of havoc.
5. Security hole in a Perl script on the hackpcweek site? I wonder why nobody tried to do the same with COM objects or the numerous buffer overflows on NT? Better yet, let's see how long it takes Redmond to come out with a fix! IF anyone wanted to not follow the rules of that contest, I am sure something like that would easily take down the box.
6. I hear too much from NT admins about "Wait until Windows 2000". Y'all can shut up about your vaporware. I interviewed two admins. One was a W2K freak. The other mentioned that MS should fix their products before releasing new ones. Guess which one got the offer? Shut up about how great MS is until I see stable shipping product or get out. Linux is right here, right now, and is constantly being updated. It's also open source and audited by thousands. Beat that, Redmond. Giving a closed source preview of a product doesn't make it like Linux. Open the source and show those APIs like WNetEnumCachedPasswords.
6a. I have seen portions of that code, and it is MESSY. They probably won't release it out of embarrassment. I wouldn't.
7. ZD is advertising-driven. Guess who buys most of their advertising? Microsoft. Do you HONESTLY think ZD is going to bite the hand that feeds them? I think not. They are Microsoft's bitch. Anyone who reads anything from ZD should realize that. It's a PHB magazine, meant for people who choose not to pay attention to what is going on in IT. Until Red Hat, VA, Sun, SGI, and other non-MS companies advertise, they will continue to be the puppets of Redmond.
Until next time....
I think the main complaint is an absence of parity between the two platforms. On one hand, NT had the five service packs applied, which are IMHO fraught with more difficulties to install than rpm'ing 21 patches. MS's service packs are renowned for breaking other things from previous packs, and are usually released a long time after the bugs they fix are identified.
I really wouldn't have a problem with this at all, if ZDNet hadn't made the blanket conclusion that NT was easier to secure. That's an overwhelmingly ignorant statement to make.
Before applying SPs I wait at least a few weeks to see what people report as breaking under the new SP. There's usually something, and all too frequently (two NT4 SPs out of five!) applying an SP has a detrimental impact on system stability.
On top of that you may have to reapply SPs after installing new packages (particularly those from Microsoft) and you want to create a new emergency repair disk. These things are not necessary under Linux.
IMO, having administered both systems (and a bunch of others) for years, I much prefer the small patch approach where I can pick what I want to apply according to my needs: e.g. if I'm not running ftp I don't really need to apply an ftp patch.
But as it turns out there is a way to get all-inclusive patches for Linux. Install a new release. They come out every few months, much more frequently than Microsoft service packs, and generally include all previous patches. The upgrade process is fairly similar in difficulty to applying an NT service pack. Interestingly this isn't mentioned.
Interestingly, ZD says "Imagine the work involved in integrating 21 separate fixes into a change process to be deployed across an enterprise." Actually that doesn't have to be a lot of work. You can set up a master system and use rdist to propagate patched software to everything all at once. This kind of environment is easy to set up (the software is stock) and allows the software to do the grunt work of upgrading systems. You need to buy extra software to do this kind of mass upgrade on NT.
jim frost
jimf@frostbytes.com
"Of course new users are still left to install all 21."
I'm not arguing that small, isolated patches are infinitely superior to mega-packs including both fixes and features.
However if a company like RedHat wants to provide support that people would buy, then making a patch or script available to fix all known security problems since last release might be a worthwhile product that new users would appreciate, especially those switching from Windows.
If you want to get into ease of use features, something with the functionality of Windows Update could also be popular. It should be done Unix style though. The update site sends the information about what is available to the local computer on request, which then compares it to what is installed and offers the user an opportunity to select packages to update or install. From this a script is generated locally that will download and install the required software. Category filters for "Security", "Bug", and "Feature" would also be nice.
Perhaps their new online update support in 6.1 addresses this. Can anyone describe it for me?
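One way to build the Unix-style update flow described above, as an added example that is not code from any distribution, from Red Hat, or from the poster: a constructed manifest of available updates is compared against a constructed installed-package list, filtered by category, and turned into a locally generated script that verifies package signatures before a single rpm transaction. The manifest format, the mirror URL, the wget fetch and the i386 package file names are assumptions made for this example.

```python
import re

# Constructed manifest, in a hypothetical format the update site might send on
# request: name, epoch:version-release, category, one-line description.
AVAILABLE = """\
cron 0:3.0.1-40 Security crontab file handling allows local root
net-tools 0:1.53-1 Security buffer overflow in arp
XFree86 0:3.3.5-3 Bug server crashes with some video cards
gimp 0:1.1.10-1 Feature new plug-ins
kernel 0:2.2.13-0.5 Security several local holes closed
"""

# Constructed stand-in for the output of
# rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' (epoch assumed 0).
INSTALLED = """\
cron 0:3.0.1-37
net-tools 0:1.53-1
gimp 0:1.0.4-3
kernel 0:2.2.12-20
"""


def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)


def vercmp(a, b):
    """Compare two version strings the way rpm does (simplified): walk the
    alphanumeric segments; numeric segments compare as integers, alphabetic
    ones lexically, a numeric segment beats an alphabetic one, and when one
    string runs out of segments the longer one is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xn != yn:
            return 1 if xn else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, release = rest.rsplit("-", 1)
    return int(epoch), version, release


def evrcmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = vercmp(va, vb)
    return c if c else vercmp(ra, rb)


def parse_manifest(text):
    updates = []
    for line in text.splitlines():
        if line.strip():
            name, evr, category, desc = line.split(None, 3)
            updates.append({"name": name, "evr": evr, "category": category, "desc": desc})
    return updates


def parse_installed(text):
    return dict(line.split() for line in text.splitlines() if line.strip())


def select_updates(available, installed, categories):
    """Keep only updates for packages that are actually installed, are newer
    than the installed version, and fall in one of the requested categories."""
    chosen = []
    for u in parse_manifest(available):
        have = installed.get(u["name"])
        if have is None:
            continue                      # not installed: nothing to fix (e.g. X on a server)
        if evrcmp(u["evr"], have) <= 0:
            continue                      # already at or beyond this fix
        if u["category"] in categories:
            chosen.append(u)
    return chosen


def make_script(chosen, mirror="ftp://updates.example.invalid/pub/updates"):
    """Emit the locally generated script: fetch each package, check every
    signature first, then upgrade them all in one rpm transaction."""
    if not chosen:
        return "#!/bin/sh\n# nothing to do\n"
    lines = ["#!/bin/sh", "set -e", "cd /var/tmp/updates || exit 1"]
    files = []
    for u in chosen:
        _, ver, rel = parse_evr(u["evr"])
        fname = f"{u['name']}-{ver}-{rel}.i386.rpm"   # architecture assumed
        files.append(fname)
        lines.append(f"# [{u['category']}] {u['name']}: {u['desc']}")
        lines.append(f"wget -q {mirror}/{fname}")
    lines.append("rpm --checksig " + " ".join(files))  # refuse unsigned/tampered packages
    lines.append("rpm -Uvh " + " ".join(files))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wanted = select_updates(AVAILABLE, parse_installed(INSTALLED), {"Security"})
    print(make_script(wanted))
```

With the constructed data, only cron and kernel are selected for the "Security" filter: net-tools is already current and XFree86 is not installed, so no script step is generated for them.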
Not after the Red Hat updater dingus in RH 6.1!!!
As I understand it it's automatic? Is this correct? I have not had a chance to check it out.
> bin
> get *rpm
> bye
rpm -Uvh *rpm
Now really how hard is that? This "enterprise" crap is making me sick. These enterprises are hiring people who have peanuts for brains? They would much rather go to Microsoft's website, find the latest patch, download it, sit through the update, reboot the computer AND do the update and reboot process again after they install a new application (This is recommended by most all NT service patches). How many steps is that?
Anybody who can use ftp will tell you that it will take less time and effort to update the Linux machine. Now the "ENTERPRISE" IT guys, they just have a small problem.
They have never heard of ftp.
But they are perfectly capable of maintaining the company mainframe. A whole lot of them work at Ebay and ZDnet also.
The Debian distribution has been set up to do pretty much exactly what you're asking for for a long time now (right down to the distribution of ISO 9660 images for offline machines). In addition, the updates and fixes are better tested and more independent from each other than the corresponding ones in Windows, resulting in a more stable overall environment. It refrains from adding the security holes that Windows Update gives.
Personally, I prefer RedHat, because it gives me more individual control, but Debian sounds like it would be far better for you, and get you away from the nasty broken Service Packs.
----
----
Open mind, insert foot.
I now have a completely up to date 3.3-STABLE FreeBSD installation on my trusty old P90 that used to run a crufty old RedHat 4.2 install. By watching the FreeBSD mailing lists, I can tell if there's something new I need. If so...
cvsup stable-supfile
make world [1]
make install
make kernel
mergemaster
reboot
Presto! Completely up to date system. Why isn't it this easy with anything else? Why are binary distributions/updates/patches/etc so popular?
[1] Okay, this step takes seven hours on a P90.
I maintain that it is better to install isolated patches as opposed to one huge monolithic upgrade (as in service packs).
I don't mind upgrading an FTP or bind (or whatever) RPM on my servers, but I absolutely will not install an NT service pack on a production server until waiting at least a month to see what kind of problems arise. I made the horrible mistake of installing SP4 on one of our NT servers. Never again.
Jason.
So "most large companies would prefer the one large, sweeping-in-scope, fix" huh? Quite right. Our corporate MIS has banned the application of hot fixes, patches or service packs beyond SP3 because ... wait for it ... it makes NT too unstable.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Why are they complaining about having to install 21 patches? They needed to install 4 with the config they were using; cron, kernel, net-tools, and dev updates. None of the other services were installed thus they did not need updating. Maybe update X if they actually installed it and libtermcap (this is a fix for a local exploit, but better safe than sorry). So maximum of 6 updates.
On NT they installed SP5, IE 4.01, option pack 4 and SQL server SP1. That is 4 updates.
gee, strikingly similar...
Q.
The Red Hat fixes would have limited the scope of the intrusion, but the bottom line is that the guy got a shell at all because the 3rd-party CGI was buggy. This will be a problem if you're using NT or Linux or Tru64.
I'm torn on these kinds of tests. On the one hand, the test is attempting to prove the security of an operating system distribution, so that's really all that should be running. On the other hand, you are going to want to do something with that machine. Certainly a stand-alone Linux box with nothing else on it is not much of a real-world test.
In the end we're just serving to prove an old truism of security: You put a firewall in to keep out the 13-year-olds, but to stop the determined crackers who are targeting your site in particular, you need to audit every piece of source you run. A very tall order, and always painful. It comes down to risk analysis and trade-offs.
[QUOTE]
All I have to say about http://www.zdnet.com/pcweek/stories/news/0,4153,2346293,00.html is that you all are idiots.
I rarely write about things, but this is an outrage. Anyone who thinks that MS distributes all its fixes in one large patch is a fool. I should know, I was engineering lead on www.starbucks.com, one of MS's most prominent sites.
In order to deploy a server, we would apply the latest service pack and then between 30-60 hot-fixes. And that was just for the default software. Other packages, like SQLServer, had at least two dozen hot-fixes.
A lot of times, these would conflict with each other in strange ways, and uncover other bugs, which made it very difficult to deploy any fixes at all. I would often try them out on my desktop (an NT Server) first so as not to endanger the development environment. We even had one case where a hot-fix wiped out our SourceSafe DB....
In contrast, the two Un*x OSs I use on a regular basis, Solaris and Linux, have no such problems. Packages and RPMs are small, well-defined fixes to particular problems, not some uber-thing that has to itself be patched.
I don't know where you get your writers from, but I sure am glad I don't read any of your publications. And with information like this (i.e. totally useless and factually incorrect), it's doubtful that I ever would.
Chris Maresca
Project Engineer, Organic Online, Inc.
ckm@organic.com
[/QUOTE]
-- I don't have a cool sig.
I like how I go to one website, and it automatically tells me what I do or do not have installed. Then I get presented with a list of new patches, arranged neatly into ranks like Critical, Highly Recommended, Fun and Games, even Beta Testing. I can even get told within minutes of a new critical patch being posted by installing Microsoft's Critical Update Notifier. Each patch includes a description of the component involved so I can choose if it is right for that computer. Then, after checkmarking all the items I want, click a button to download and install the patches automatically.
= -=-=-=-=-=-=-=-
This is, in my opinion, a good system and I compliment Microsoft for adopting it. I only wish that the *nix community would be willing to host similar update servers, particularly for the popular distributions.
There are just a couple things that I think should be changed:
1) Link to knowledge base and security alerts. When I see an item listed, I want more than just a one or two line blurb. And vice versa...if I get a security alert on a mailing list, or find a reason why I'm getting a certain bug, I want to click a link and see the fix added to my download queue.
2) Make it easier for it to work with secure or offline servers. I should be able to download an ISO image that contains an entire copy of the update website. So, all I have to do is pull down the ISO, burn it, pop it into the CD-ROM of the secure or offline server and PRESTO! I can browse a local copy of the same update site.
3) Download histories with option to uninstall. Right now my Windows Updates are buried under a half dozen items in some Add/Remove Programs control panel. I'd rather be able to see a list (sorted by date) of items I have installed so I can check off the one I want to uninstall. So, if I SWEAR it's a patch that is causing my problem (even if tech support doesn't agree with me) I don't have to reinstall to get rid of it.
Service Packs stink because I get a whole bunch of stuff I DON'T want just to get the one or two things I DO want. The only reason I install Service Pack 3 on stand-alone machines is so I can install MSIE...and the only reason I install Service Pack 5 on those same machines is so I can use 17GB hard drives. Sure, I could probably abort the install after it decompresses the files and just install the new ATAPI.SYS file...but then I'm skating on "unsupported territory". So I have to cross my fingers and pray that this isn't another Service Pack 2 or Service Pack 4, or lose my support options.
I think everyone agrees that individual patches would be better since it allows ultimate user control. The only problem has been keeping track of where they are, what they do, and which have been installed. So, let's get them all organized...how about it?
- JoeShmoe
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
It's a little-known fact, but ZDNet recently held a car security test. They left two cars equipped with different security systems on the streets of LA, to see which ones real-life crooks could steal. The first car, equipped with MS MySafeCar, was locked, secured, and parked next to the second car, which was a convertible with the top down, keys in, and Linux Carsec turned off. The second car was stolen, prompting ZDNet employees to rejoice and marvel at the advertising budget for, er, security miracle that is MS MySafeCar.
When Carsec proponents noted the discrepancy between the two cars, ZDNet replied that "the average car user would not want to lock 2 to 4 individual doors."
ZDNet, in response to the information that Carsec comes with power locks, stuck their fingers in their ears and started humming "Ol' MacDonald."
Do they have a point? Yes, atop their heads.
-- I can't think of anything witty to put here. Sorry.
In an update to the story, an anonymous source at ZDNet admitted that they used a genuine IT manager during the tests. "The decision not to apply the fixes came about due to our adherence to realistic simulations. We feel most IT managers are clueless, so we used a representative sample from our own labs. He made the decision," said the source, speaking under conditions of anonymity. "We feel this better represents the real world scenario."
In unrelated news, seismologists reported a strange disturbance, which they claimed was caused by thousands of sysadmins nodding their heads in agreement at the same time. The phenomenon has tentatively been titled "the Slashdot Effect".
Having been an NT admin for a while... It is not just a question of installing five huge service packs. And I'm not talking about hotfixes either.
There are a number of pieces of software from Microsoft that require the service packs to be applied in differing order:
The place I used to work before used Site Server (extension to IIS). For the personalisation feature to work on this, a completely bizarre sequence had to be followed:
Install (approximate - I think this was more complicated):
Service Pack 3
Internet Explorer 4
Option Pack 4
(some crucial DLLs have now been deleted/overwritten with incompatible versions)
Service Pack 3
Option Pack 4
Site Server 3
You can now install Service Pack 4 & 5 if you want more things to break or you can cut your losses and stick to things that you know work (even if they aren't secure).
The problem with this process is that it is badly documented, denied on Microsoft's site and unknown to most MS users. We got this process from someone who spent days installing and uninstalling the software until it worked. Therefore it takes *days* to install a "decent" version of NT.
This is not the worst bit. The worst thing is that we bought Site Server for all of those built in features (many of which simply didn't work). It wasn't cheap and we ended up just writing our own stuff due to the poor quality of the documentation, lack of speed (dual Pentium Pro, 128MB RAM) and general flakiness.
The problem with all this software is that Microsoft doesn't write applications anymore. Everything has hooks in the O/S which means that departments within MS end up writing software that messes with everything. Incompatibilities arise and no-one is willing to tell you how to fix it without charging you huge consultancy fees.
My new web server boxes run Linux. When fixes come in, thousands of users are willing to help you out with any problems you have. They actually know. The applications do not send tentacles into the O/S, choking functionality out of other applications. My sites run fast. I never need to write ASP in my life ever again. I'm happy again.
Another example? To get a certain feature of MS Visual Interdev running on her machine, a friend of mine had to remove Service Pack 5 & 4 from her machine (then re-install SP3). Only then would database diagrams re-appear as a feature...
I sense that many people here have not actually really experienced the joys of NT first hand. It is much more of a nightmare than you think. And good NT admins simply don't seem to exist. I'm sure there are some out there. Maybe. The recent joys of the Windows 2k machine that MS couldn't keep up due to running out of disk space, etc indicate that there simply aren't any. Even at MS.
I also know of a well-known major UK hosting provider which is withdrawing its NT dedicated server hosting. Too many problems. Too many security holes. Really bad remote management tools. End of story.
</RANT>